Using udev rules or a Linux kernel blacklist

This video shows an attack in which, after connecting a USB device to a locked computer, one can take over almost all currently running browsers. The trick is that the USB device acts as Ethernet over USB, and the laptop automatically tries to connect to such a device.

My work computer has a real Ethernet port, and I almost exclusively use wifi. I don't expect to need a 4G dongle or the like. I could mitigate this attack by first preventing USB Ethernet from working. (The alternative mitigation suggested in the video, filling my USB ports with cement, doesn't sound very appealing. Besides, it can be worked around with a docking station.)

How can I do this?

Answer 1

Using udev rules or a Linux kernel blacklist

Yes, it's possible, but I'm not sure it stops all attacks of this kind. I only have one device, so I can't say this is a universal solution.

I checked with a USB network key on Ubuntu 21.10.

Information gathering

  1. udevadm monitor -u

    monitor will print the received events for:
    UDEV - the event which udev sends out after rule processing
    
    UDEV  [108.870714] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
    UDEV  [108.951632] add      /module/mii (module)
    UDEV  [108.970818] add      /module/usbnet (module)
    UDEV  [114.296923] add      /bus/usb/drivers/dm9601 (drivers)
    UDEV  [114.310640] add      /module/dm9601 (module)
    UDEV  [114.316277] add      /bus/usb/drivers/sr9700 (drivers)
    UDEV  [114.324254] add      /module/sr9700 (module)
    UDEV  [114.325188] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
    UDEV  [114.361207] bind     /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
    UDEV  [114.446039] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
    UDEV  [114.471800] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/tx-0 (queues)
    UDEV  [114.591649] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/rx-0 (queues)
    UDEV  [114.602864] bind     /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0 (usb)
    UDEV  [115.079106] move     /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
    
  2. udevadm info -a -p /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458

     Udevadm info starts with the device specified by the devpath and then
     walks up the chain of parent devices. It prints for every device
     found, all possible attributes in the udev rules key format.
     A rule to match, can be composed by the attributes of the device
     and the attributes from one single parent device.
    
       looking at device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458':
    
         KERNEL=="enx00e04c534458"
         SUBSYSTEM=="net"
         DRIVER==""
         ATTR{addr_assign_type}=="0"
         ATTR{addr_len}=="6"
         ATTR{address}=="00:e0:4c:53:44:58"
         ATTR{broadcast}=="ff:ff:ff:ff:ff:ff"
         ATTR{carrier}=="0"
         ATTR{carrier_changes}=="3"
         ATTR{carrier_down_count}=="2"
         ATTR{carrier_up_count}=="1"
         ATTR{dev_id}=="0x0"
         ATTR{dev_port}=="0"
         ATTR{dormant}=="0"
         ATTR{duplex}=="full"
         ATTR{flags}=="0x1003"
         ATTR{gro_flush_timeout}=="0"
         ATTR{ifalias}==""
         ATTR{ifindex}=="3"
         ATTR{iflink}=="3"
         ATTR{link_mode}=="0"
         ATTR{mtu}=="1500"
         ATTR{name_assign_type}=="4"
         ATTR{napi_defer_hard_irqs}=="0"
         ATTR{netdev_group}=="0"
         ATTR{operstate}=="down"
         ATTR{power/async}=="disabled"
         ATTR{power/control}=="auto"
         ATTR{power/runtime_active_kids}=="0"
         ATTR{power/runtime_active_time}=="0"
         ATTR{power/runtime_enabled}=="disabled"
         ATTR{power/runtime_status}=="unsupported"
         ATTR{power/runtime_suspended_time}=="0"
         ATTR{power/runtime_usage}=="0"
         ATTR{proto_down}=="0"
         ATTR{queues/rx-0/rps_cpus}=="0"
         ATTR{queues/rx-0/rps_flow_cnt}=="0"
         ATTR{queues/tx-0/byte_queue_limits/hold_time}=="1000"
         ATTR{queues/tx-0/byte_queue_limits/inflight}=="0"
         ATTR{queues/tx-0/byte_queue_limits/limit}=="0"
         ATTR{queues/tx-0/byte_queue_limits/limit_max}=="1879048192"
         ATTR{queues/tx-0/byte_queue_limits/limit_min}=="0"
         ATTR{queues/tx-0/tx_maxrate}=="0"
         ATTR{queues/tx-0/tx_timeout}=="0"
         ATTR{queues/tx-0/xps_rxqs}=="0"
         ATTR{speed}=="100"
         ATTR{statistics/collisions}=="0"
         ATTR{statistics/multicast}=="0"
         ATTR{statistics/rx_bytes}=="0"
         ATTR{statistics/rx_compressed}=="0"
         ATTR{statistics/rx_crc_errors}=="0"
         ATTR{statistics/rx_dropped}=="0"
         ATTR{statistics/rx_errors}=="0"
         ATTR{statistics/rx_fifo_errors}=="0"
         ATTR{statistics/rx_frame_errors}=="0"
         ATTR{statistics/rx_length_errors}=="0"
         ATTR{statistics/rx_missed_errors}=="0"
         ATTR{statistics/rx_nohandler}=="0"
         ATTR{statistics/rx_over_errors}=="0"
         ATTR{statistics/rx_packets}=="0"
         ATTR{statistics/tx_aborted_errors}=="0"
         ATTR{statistics/tx_bytes}=="0"
         ATTR{statistics/tx_carrier_errors}=="0"
         ATTR{statistics/tx_compressed}=="0"
         ATTR{statistics/tx_dropped}=="0"
         ATTR{statistics/tx_errors}=="0"
         ATTR{statistics/tx_fifo_errors}=="0"
         ATTR{statistics/tx_heartbeat_errors}=="0"
         ATTR{statistics/tx_packets}=="0"
         ATTR{statistics/tx_window_errors}=="0"
         ATTR{testing}=="0"
         ATTR{threaded}=="0"
         ATTR{tx_queue_len}=="1000"
         ATTR{type}=="1"
    
       looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0':
         KERNELS=="2-2:1.0"
         SUBSYSTEMS=="usb"
         DRIVERS=="dm9601"
         ATTRS{authorized}=="1"
         ATTRS{bAlternateSetting}==" 0"
         ATTRS{bInterfaceClass}=="00"
         ATTRS{bInterfaceNumber}=="00"
         ATTRS{bInterfaceProtocol}=="00"
         ATTRS{bInterfaceSubClass}=="00"
         ATTRS{bNumEndpoints}=="03"
         ATTRS{power/async}=="enabled"
         ATTRS{power/runtime_active_kids}=="0"
         ATTRS{power/runtime_enabled}=="enabled"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_usage}=="1"
         ATTRS{supports_autosuspend}=="1"
    
       looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-2':
         KERNELS=="2-2"
         SUBSYSTEMS=="usb"
         DRIVERS=="usb"
         ATTRS{authorized}=="1"
         ATTRS{avoid_reset_quirk}=="0"
         ATTRS{bConfigurationValue}=="1"
         ATTRS{bDeviceClass}=="00"
         ATTRS{bDeviceProtocol}=="00"
         ATTRS{bDeviceSubClass}=="00"
         ATTRS{bMaxPacketSize0}=="64"
         ATTRS{bMaxPower}=="120mA"
         ATTRS{bNumConfigurations}=="1"
         ATTRS{bNumInterfaces}==" 1"
         ATTRS{bcdDevice}=="0101"
         ATTRS{bmAttributes}=="80"
         ATTRS{busnum}=="2"
         ATTRS{configuration}==""
         ATTRS{devnum}=="3"
         ATTRS{devpath}=="2"
         ATTRS{idProduct}=="9700"
         ATTRS{idVendor}=="0fe6"
         ATTRS{ltm_capable}=="no"
         ATTRS{maxchild}=="0"
         ATTRS{power/active_duration}=="124280"
         ATTRS{power/async}=="enabled"
         ATTRS{power/autosuspend}=="2"
         ATTRS{power/autosuspend_delay_ms}=="2000"
         ATTRS{power/connected_duration}=="124280"
         ATTRS{power/control}=="on"
         ATTRS{power/level}=="on"
         ATTRS{power/persist}=="1"
         ATTRS{power/runtime_active_kids}=="1"
         ATTRS{power/runtime_active_time}=="123743"
         ATTRS{power/runtime_enabled}=="forbidden"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="1"
         ATTRS{product}=="USB 2.0 10/100M Ethernet Adaptor"
         ATTRS{quirks}=="0x0"
         ATTRS{removable}=="unknown"
         ATTRS{rx_lanes}=="1"
         ATTRS{speed}=="12"
         ATTRS{tx_lanes}=="1"
         ATTRS{urbnum}=="42458"
         ATTRS{version}==" 1.10"
    
       looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2':
         KERNELS=="usb2"
         SUBSYSTEMS=="usb"
         DRIVERS=="usb"
         ATTRS{authorized}=="1"
         ATTRS{authorized_default}=="1"
         ATTRS{avoid_reset_quirk}=="0"
         ATTRS{bConfigurationValue}=="1"
         ATTRS{bDeviceClass}=="09"
         ATTRS{bDeviceProtocol}=="00"
         ATTRS{bDeviceSubClass}=="00"
         ATTRS{bMaxPacketSize0}=="64"
         ATTRS{bMaxPower}=="0mA"
         ATTRS{bNumConfigurations}=="1"
         ATTRS{bNumInterfaces}==" 1"
         ATTRS{bcdDevice}=="0513"
         ATTRS{bmAttributes}=="e0"
         ATTRS{busnum}=="2"
         ATTRS{configuration}==""
         ATTRS{devnum}=="1"
         ATTRS{devpath}=="0"
         ATTRS{idProduct}=="0001"
         ATTRS{idVendor}=="1d6b"
         ATTRS{interface_authorized_default}=="1"
         ATTRS{ltm_capable}=="no"
         ATTRS{manufacturer}=="Linux 5.13.0-22-generic ohci_hcd"
         ATTRS{maxchild}=="12"
         ATTRS{power/active_duration}=="232196"
         ATTRS{power/async}=="enabled"
         ATTRS{power/autosuspend}=="0"
         ATTRS{power/autosuspend_delay_ms}=="0"
         ATTRS{power/connected_duration}=="232196"
         ATTRS{power/control}=="auto"
         ATTRS{power/level}=="auto"
         ATTRS{power/runtime_active_kids}=="2"
         ATTRS{power/runtime_active_time}=="232137"
         ATTRS{power/runtime_enabled}=="enabled"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="0"
         ATTRS{power/wakeup}=="disabled"
         ATTRS{power/wakeup_abort_count}==""
         ATTRS{power/wakeup_active}==""
         ATTRS{power/wakeup_active_count}==""
         ATTRS{power/wakeup_count}==""
         ATTRS{power/wakeup_expire_count}==""
         ATTRS{power/wakeup_last_time_ms}==""
         ATTRS{power/wakeup_max_time_ms}==""
         ATTRS{power/wakeup_total_time_ms}==""
         ATTRS{product}=="OHCI PCI host controller"
         ATTRS{quirks}=="0x0"
         ATTRS{removable}=="unknown"
         ATTRS{rx_lanes}=="1"
         ATTRS{serial}=="0000:00:06.0"
         ATTRS{speed}=="12"
         ATTRS{tx_lanes}=="1"
         ATTRS{urbnum}=="65"
         ATTRS{version}==" 1.10"
    
       looking at parent device '/devices/pci0000:00/0000:00:06.0':
         KERNELS=="0000:00:06.0"
         SUBSYSTEMS=="pci"
         DRIVERS=="ohci-pci"
         ATTRS{ari_enabled}=="0"
         ATTRS{broken_parity_status}=="0"
         ATTRS{class}=="0x0c0310"
         ATTRS{consistent_dma_mask_bits}=="32"
         ATTRS{d3cold_allowed}=="0"
         ATTRS{device}=="0x003f"
         ATTRS{dma_mask_bits}=="32"
         ATTRS{driver_override}=="(null)"
         ATTRS{enable}=="1"
         ATTRS{irq}=="22"
         ATTRS{local_cpulist}=="0"
         ATTRS{local_cpus}=="1"
         ATTRS{msi_bus}=="1"
         ATTRS{numa_node}=="-1"
         ATTRS{power/async}=="enabled"
         ATTRS{power/control}=="on"
         ATTRS{power/runtime_active_kids}=="1"
         ATTRS{power/runtime_active_time}=="232396"
         ATTRS{power/runtime_enabled}=="forbidden"
         ATTRS{power/runtime_status}=="active"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="2"
         ATTRS{power/wakeup}=="enabled"
         ATTRS{power/wakeup_abort_count}=="0"
         ATTRS{power/wakeup_active}=="0"
         ATTRS{power/wakeup_active_count}=="0"
         ATTRS{power/wakeup_count}=="0"
         ATTRS{power/wakeup_expire_count}=="0"
         ATTRS{power/wakeup_last_time_ms}=="0"
         ATTRS{power/wakeup_max_time_ms}=="0"
         ATTRS{power/wakeup_total_time_ms}=="0"
         ATTRS{power_state}=="D0"
         ATTRS{revision}=="0x00"
         ATTRS{subsystem_device}=="0x0000"
         ATTRS{subsystem_vendor}=="0x0000"
         ATTRS{vendor}=="0x106b"
    
       looking at parent device '/devices/pci0000:00':
         KERNELS=="pci0000:00"
         SUBSYSTEMS==""
         DRIVERS==""
         ATTRS{power/async}=="enabled"
         ATTRS{power/control}=="auto"
         ATTRS{power/runtime_active_kids}=="11"
         ATTRS{power/runtime_active_time}=="0"
         ATTRS{power/runtime_enabled}=="disabled"
         ATTRS{power/runtime_status}=="unsupported"
         ATTRS{power/runtime_suspended_time}=="0"
         ATTRS{power/runtime_usage}=="0"
         ATTRS{waiting_for_supplier}=="0"
    
  3. lsusb; echo;lsusb -t

     Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
     Bus 002 Device 003: ID 0fe6:9700 ICS Advent DM9601 Fast Ethernet Adapter
     Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
     Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    
     /:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ohci-pci/12p, 12M
         |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
         |__ Port 2: Dev 3, If 0, Class=, Driver=dm9601, 12M
     /:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/12p, 480M
    

Linux kernel blacklist

You may have noticed in the udev monitor output that the usbnet module gets loaded.

Udev rules

One case that seems clear is:

ACTION=="add",SUBSYSTEM=="net", SUBSYSTEMS=="usb",...

So this is a newly added net node that has a USB parent node.

Then target that leaf node or its parent to remove it, deauthorize it, or unbind its driver. For example, this answer is about blocking USB storage devices.
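Added example, not code from the answer above: a dry-run shell script that picks out, from the udev monitor output shown earlier (copied here as constructed sample input, plus one made-up non-USB NIC event that must not match), the newly added net device whose sysfs path runs through USB, derives the USB device node that owns its "authorized" attribute, and prints the udev rule and modprobe text that the answer's "deauthorize or unbind" and "usbnet module" remarks point at. The %p substitution and the sysfs path layout are assumed from standard udev and sysfs behaviour, not taken from the answer.

```shell
#!/bin/sh
# Added example, not part of the original answer. Constructed input: the
# SAMPLE_MONITOR lines are copied from the udev monitor output above, plus one
# made-up "enp0s3" event for a non-USB NIC that must NOT be matched.
SAMPLE_MONITOR='UDEV  [108.870714] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2 (usb)
UDEV  [108.970818] add      /module/usbnet (module)
UDEV  [114.446039] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
UDEV  [114.471800] add      /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/eth0/queues/tx-0 (queues)
UDEV  [115.079106] move     /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/net/enx00e04c534458 (net)
UDEV  [120.000000] add      /devices/pci0000:00/0000:00:03.0/net/enp0s3 (net)'

# usb_net_adds: stdin = udevadm monitor lines; stdout = the devpath of every
# newly added (net) device whose sysfs path runs through a USB bus. This is
# the ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb" case in script form.
usb_net_adds() {
    awk '$3 == "add" && $5 == "(net)" && $4 ~ /\/usb[0-9]+\/.+\/net\/[^\/]+$/ { print $4 }'
}

# usb_device_of: from a net devpath, drop "/net/<iface>" and then the USB
# interface segment "<bus>-<port>:<config>.<iface>", leaving the USB device
# node (e.g. .../usb2/2-2), which is where the "authorized" attribute lives.
usb_device_of() {
    printf '%s\n' "$1" | sed -e 's|/net/[^/]*$||' -e 's|/[0-9.-]*:[0-9]*\.[0-9]*$||'
}

# udev_rule: rule text for /etc/udev/rules.d/. %p is udev's substitution for
# the matched net device's devpath; three "../" climb net -> interface -> device
# exactly as usb_device_of does, and writing 0 to "authorized" detaches it.
# Note that this reacts after the interface has already appeared.
udev_rule() {
    cat <<'EOF'
ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'echo 0 > /sys%p/../../../authorized'"
EOF
}

# modprobe_blacklist: text for /etc/modprobe.d/. The monitor output shows the
# usbnet module being loaded; "install ... /bin/false" makes loading it fail,
# so drivers built on it (dm9601 here) cannot bind in the first place.
modprobe_blacklist() {
    cat <<'EOF'
blacklist usbnet
install usbnet /bin/false
EOF
}

# Dry run over the constructed sample: nothing under /sys or /etc is touched.
printf '%s\n' "$SAMPLE_MONITOR" | usb_net_adds | while IFS= read -r devpath; do
    printf 'USB NIC %s -> deauthorize %s\n' "${devpath##*/}" "$(usb_device_of "$devpath")"
done
```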

Answer 2

I think usbguard might suit you well. It works by device class ID, with rules like:

block with-interface equals { 02:*:* }
block with-interface equals { 0A:*:* }
block with-interface equals { E0:*:* }
allow

Of course, you can also be more specific, build a whitelist, and so on. You may also want to whitelist your Bluetooth devices. The package has examples; there is also an applet.

There may also be a "pure udev" way.

Answer 3

I think this attack no longer works, because the kernel assigns a lower priority to USB Ethernet interfaces.

So the system will keep using the interface you currently have running instead of the newly plugged-in USB-to-Ethernet interface.

At least, that's how it worked the last time I tried. Just look at the output of ip route. The USB-to-Ethernet interface will have a higher metric than the previous interface, and therefore a lower priority.

So to make it work, the attacker would have to unplug your Ethernet cable or perform a deauthentication attack against your wifi interface.
